Slashdot Mirror

← Back to Stories (view on slashdot.org)

March To Be Month of PHP Bugs

Posted by kdawson on from the open-season dept.

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

2 of 292 comments (clear)

  1. Partially surprising by Anonymous Coward · · Score: 5, Insightful

    I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

  2. Re:So, PHP means ? by Anonymous Coward · · Score: 5, Insightful

    No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.

    And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

    Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.